Nginx

How to limit a part of the Extranet portal in Bitrix?

Good afternoon! There is a Bitrix portal, its public part (portal.company.ru) should be accessible only via VPN, and the portal.company.ru/extranet section should be accessible to the entire Internet.
By means of nginx I tried to make a restriction for VPN access, it works fine:

location / {

               allow <ext_office_IP>;
               allow <ext__office_IP>;
               deny all;
                proxy_pass http://10.16.0.18:80;
                proxy_redirect http://10.16.0.18:80 /;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                }

And here are the nuances with the Extranet part:

location /bitrix/ {
                proxy_pass http://10.16.0.18:80;
                proxy_redirect http://10.16.0.18:80 /;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

location /extranet/ {
                proxy_pass http://10.16.0.18:80;
                proxy_redirect http://10.16.0.18:80 /;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

Since when entering the Extranet part, js and css are loaded from /bitrix, it gives 403 - it seems to have been solved by adding another location /bitrix, but after authorization in the Extranet, some links lead to portal.company.ru, which is available only over a VPN and I'm back with a broken trough with a 403 error. Could you please tell me how to set up the delimitation correctly.
Maybe there is a way to do this via map and $http_referer ?
Thanks.